[Document Name] Specification
[Title of the invention] 

Memory rewriting system for vehicle controller 
[Claims] 

[Claim 1] A memory rewriting system for a vehicle controller
comprising:

a memory area mounted in the vehicle controller and from
and to which data can be deleted and written, the memory area
storing first security data used to determine the presence
of a permission of rewriting to the memory area;

a rewriting device for transferring second security data
from an exterior to said vehicle controller; and

rewriting means mounted in the vehicle controller, for
deleting the first security data and writing the second
security data transferred from the rewriting device.

[Claim 2] The memory rewriting system for a vehicle controller 
according to claim 1, wherein the second security data is 
written using a program; and 

wherein the program is stored in a memory area which is 
mounted in the vehicle controller and from or to which data
cannot be deleted or written. 

[Claim 3] The memory rewriting system for a vehicle controller 
according to claim 1 or 2, wherein the second security data 
is arbitrarily set by the rewriting device. 

[Claim 4] The memory rewriting system for a vehicle controller
according to any of claims 1 to 3, wherein the permission of
rewriting with the first security data is provided if an
anti-theft system permits an operation of the vehicle.

[Detailed Description of the Invention]
[0001] 

[Technical Field to which the Invention Pertains] 

The present invention relates to a memory rewriting system 
for rewriting a program stored in a memory of a vehicle
controller with another program transferred from an external 
rewriting device. 
[0002] 
[PRIOR ART] 

Vehicles are subjected to various types of control by
an electronic control unit (hereafter referred to as "ECU").
Such control includes engine-related control for an air fuel
ratio, fuel injection amount, and emission as well as
body-related control for a power window, an air bag, and an
ABS. The ECU provides various types of control for the vehicle
based on current conditions and traveling status of the vehicle
sensed by various sensors mounted on the vehicle.
[0003] 

On the other hand, the vehicle may include an anti-theft
system. In general, the anti-theft system electronically
checks if an ignition key used by a driver to start the engine
is authentic. If it is determined that the key is authentic,
the anti-theft system transfers a signal for permitting vehicle
operation to the ECU. Thus, until the permission signal is
received, the ECU does not allow the engine to start by, for
example, stopping fuel injection. If it is determined that
the ignition key is not authentic, the driver is judged to
be not an authorized person and cannot operate the vehicle.
[0004]

The ECU comprises a central processing unit (CPU), a ROM
(Read Only Memory) that stores programs and data to be executed,
a RAM (Random Access Memory) which provides a work area for
execution and which stores results of computation, and an I/O
interface for receiving signals from various sensors and
transmitting control signals to various parts of the engine.
[0005] 

The ROM often includes a rewritable memory such as a flash
memory, an EEPROM, or an EPROM to allow a program or data therein
to be rewritten. Japanese Patent Application Laid-Open No.
63-223901 describes a method for changing a program stored
in the EEPROM of the ECU in response to a request from an external
device with the ECU being mounted on the vehicle.
[0006]

Such a function of changing a program or data stored in
a ROM of the ECU makes it necessary to protect them from access
from an external device, thus preventing a user or other third
parties from rewriting a program or data stored in the ROM
without proper authorization. Japanese Patent Application
Laid-Open No. 3-238541 describes a vehicle controller for
determining that a program or data in a ROM of the ECU has been
tampered with using a check data mechanism. According to the
mechanism, check data based on data stored in the ROM are stored
beforehand. After shipment of the vehicle, the ECU creates new
check data based on the data stored in the ROM. The ECU then
compares the new check data with the previously stored check
data, determines that the data have been tampered with if they
are unequal and turns on the alarm light.
[0007] 

A key for releasing the above-mentioned security feature
is known only to a manufacturer of a rewriting device under
contract to the automobile manufacturer. Thus, only the
rewriting device authorized by the automobile manufacturer
can use the "key" and change the data stored in the ROM of
the ECU of that automobile.
[0008]

A typical procedure for changing a program in the ROM
will be described in brief. The above-mentioned key is
typically expressed by a certain function, which is provided
both in the rewriting device and in the ECU. The rewriting
device is connected to the ECU and then uses its own function
(i.e., key) to calculate a function value for an arbitrary
numerical value transmitted from the ECU. The rewriting
device then transfers the function value to the ECU. At the
same time, the ECU uses its own function (i.e., key) to calculate
a function value for the same numerical value. The ECU compares
the function value received from the rewriting device with
the function value determined by itself. If they are equal,
the ECU releases the security feature. Thus, the rewriting
device is permitted to rewrite data stored in the ROM. If they
are unequal, then the rewriting device is judged to be not
authentic because the rewriting device and the ECU have
different functions (keys). Consequently, the security
feature is not released and the rewriting device cannot rewrite
the data stored in the ROM.
[0009] 

[Problems to be Solved by the Invention] 
The key for releasing the security feature, however, is
conventionally stored in a non-rewritable area of the ROM in
the ECU, so that it is impossible to use the rewriting device
to change the key after the vehicle has been shipped. Thus,
if the key is accidentally divulged to a user or another third
party who is not authorized, a rewriting device other than
the authorized one can rewrite the key in the ROM, thereby
breaking the security feature.

[0010] 

On the other hand, if the vehicle includes an anti-theft
system and if a program used to operate the anti-theft system
is rewritten, then the anti-theft system would be invalidated.
Accordingly, a system for rewriting a program or data stored
in the ROM requires higher security than that for the anti-theft
system.
[0011]

The present invention solves these problems. An object
of the present invention is to provide a memory rewriting system
for a vehicle controller which enables, even after shipment
of the vehicle, changing of a key for releasing a security
feature that prevents a program or data stored in the ROM of
the ECU from being tampered with. Even if the key has been
divulged to a third party who is not authorized, the manufacturer
can use the rewriting device to change the key, thus enabling the
security feature to be easily recovered.
[0012] 

Another object of the present invention is to provide
a memory rewriting system for a vehicle controller which can
operate in cooperation with an anti-theft system.
[0013] 

[Means to Solve the Problem] 

To solve the above problems, a memory rewriting system
for a vehicle controller according to claim 1 comprises a memory
area mounted in the vehicle controller and from and to which
data can be deleted and written, the memory area storing first
security data used to determine the presence of a permission
of rewriting to the memory area, a rewriting device for
transferring second security data from an exterior to the
vehicle controller, and rewriting means mounted in the vehicle
controller, for deleting the first security data and writing
the second security data transferred from the rewriting device.
[0014] 

According to the invention set forth in claim 1, even
if the security data for determining the presence of the
permission of rewriting to prevent data stored in the memory
of the vehicle controller from being rewritten illegally is
divulged to a third party, the rewriting device can change
the security data, thus preventing illegal rewriting to the
memory from spreading.
[0015] 

According to the invention set forth in claim 2, in the
memory rewriting system for a vehicle controller according
to claim 1, the second security data is written using a program,
and the program is stored in a memory area which is mounted
in the vehicle controller and from or to which data cannot
be deleted or written.
[0016] 

According to the invention set forth in claim 2, the
program for rewriting the security data is stored in the
unchangeable memory area and is prevented from being tampered
with by a third party, thereby allowing the security data to be
rewritten safely.

[0017] 

According to the invention set forth in claim 3, in the
memory rewriting system for a vehicle controller according
to claim 1 or 2, the second security data is set
arbitrarily by the rewriting device.
[0018] 

According to the invention set forth in claim 3, the
rewriting device can arbitrarily set new security data, so
that the new security data can be flexibly set without being
divulged to any third person.
[0019] 

According to the invention set forth in claim 4, in the
memory rewriting system for a vehicle controller according
to any of claims 1 to 3, the permission of rewriting
with the first security data is granted if an anti-theft system
permits an operation for the vehicle.
[0020]

According to the invention set forth in claim 4, the memory
is rewritten only if the anti-theft system permits an operation
for the vehicle, so that rewriting by an illegal driver is
avoided, thus preventing information on the anti-theft system
from being rewritten.
[0021] 

[Mode for Carrying out the Invention] 

The present invention for rewriting a security program
stored in a non-volatile memory of a vehicle controller will
be described referring to attached drawings. The present
invention, however, is not limited to the system for rewriting
the security program but is applicable to various systems for
rewriting data stored in a non-volatile memory.
[0022]

FIG. 1 shows an outline of a memory rewriting system
according to one embodiment of the present invention. The
memory rewriting system comprises an electronic control unit
(ECU) 10 mounted on a vehicle 1 and a rewriting device 11.
The rewriting device 11 is authorized by the manufacturer of
the vehicle 1. The ECU 10 comprises a rewritable ROM (not
shown). As shown in the figure, when the rewriting device 11
is connected to the ECU 10 and some appropriate operation to
the rewriting device 11 is performed, a security feature for
preventing a program or data stored in the ROM of the ECU 10
from being rewritten without proper authorization is released.
Thus, the rewriting device is allowed to rewrite the program
or data stored in the ROM.
[0023]

Rewriting is executed via serial communication between
the ECU 10 and the rewriting device 11. A user can send data
for rewriting to the ECU 10 by operating buttons on the rewriting
device 11 and/or interacting with a display screen provided
on the rewriting device 11. The rewriting device, however,
is not limited to the form shown in the figure, but may be
of another form having a protocol that enables communication
with the ECU 10.
[0024]

FIG. 2 is a functional block diagram showing the entire
memory rewriting system according to one embodiment of the
present invention. As described above, the memory rewriting
system comprises the ECU 10 mounted on the vehicle and the
rewriting device 11. The rewriting device 11 is provided
outside the ECU 10 and connected thereto via serial
communication. Alternatively, parallel communication may be
used between the rewriting device 11 and the ECU 10.
[0025] 

The ECU 10 comprises a central processing unit 14
(hereafter referred to as a "CPU") including a microcomputer
and associated circuit elements, ROMs 16 and 18 which are
non-volatile memories and which store programs and data, a
RAM 37 (Random Access Memory) which provides a work area for
execution and which stores results of computations, and an
I/O interface 38 for receiving signals from various sensors
39 and transmitting control signals to various parts of the
engine. Signals from various sensors 39 include an engine
rotation speed (Ne), an engine water temperature (Tw), an
intake air temperature (Ta), a battery voltage (VB), and an
ignition switch (IGSW). Thus, based on a signal input from
the I/O interface 38, the CPU 14 invokes a control program
and data from the ROMs 16 and 18 to execute computations, and
outputs the results to various parts of the vehicle via the
I/O interface 38 to control various functions of the vehicle.
[0026] 

The ECU 10 also comprises an interface 12. The interface
12 has a protocol for communication with the rewriting device
11 to enable serial communication between the ECU 10 and the
rewriting device 11.
[0027] 

The rewritable ROM 16 is a memory from and to which stored
data can be deleted and new data can be written. The rewritable
ROM 16 can be, for example, a flash memory or an EEPROM. The
non-rewritable ROM 18 can be implemented by specifying a part
of the memory area of the rewritable ROM as an unchangeable
area, or by using a mask ROM for which data are fixed during
manufacturing and from or to which data can subsequently not
be deleted or written. Alternatively, the ROM 18 can be
implemented with a PROM to which data can be written only once.
[0028] 

The ROMs 16 and 18 can be implemented as two memories
that are physically separated. Alternatively, the memory area
of a single memory may be divided into two areas so that one
of the areas is used as a rewritable area, while the other
is used as a non-rewritable area. In the latter case, for example,
after a non-rewritable area in which a program or the like
is stored has been specified in the EEPROM, a rewritable area
is specified with a start address and an end address in the
unfilled space of the memory.
[0029]

Now, examples of a form of the ROMs 16 and 18 and CPU
will be described with reference to FIG. 3. In this figure,
the ROMs 16 and 18 are implemented using a flash memory. FIG.
3(a) shows a form in which the flash memory is provided
separately from the CPU. When a rewriting operation mode is
entered through communication with the rewriting device, the
CPU receives program code from the rewriting device, and
invokes a program for rewriting the flash memory with the
received program code.
[0030]

On the other hand, FIG. 3(b) shows a form having a built-in
flash memory that constitutes one chip in conjunction with
the CPU. When the rewriting operation mode is entered in
response to a signal from the rewriting device, program code
transferred from the rewriting device is automatically written
to the flash memory using a function incorporated in the CPU.
The memory rewriting system according to the present invention
is applicable to either of the above forms.
[0031] 

Referring back to FIG. 2, the rewritable ROM 16 stores
a security function f2. The security function f2 is an object
of rewriting by the rewriting device 11. The security function
f2 realizes a security feature for preventing the data stored
in the ROM 16 from being illegally rewritten.
[0032] 

The non-rewritable ROM 18 stores programs for
implementing an authentication part 31, a random number
generator 33, and a rewriting part 35. The authentication
part 31 is responsive to a request for releasing security from
the rewriting device 11, and determines whether the rewriting
device 11 is authentic using the security function f2 and a
random number R which is generated by the random number
generator 33. Using the random number R enables the security
feature to be enhanced. If it is determined that the rewriting
device is authentic, the authentication part 31 releases the
security feature. After that, the rewriting part 35 deletes
the security function f2 and receives a new security function
f3 from the rewriting device 11 to write it into the ROM 16.
[0033] 

The rewriting device 11 has a security function f1 and
a new security function f3. The security function f1 implements
the security feature in cooperation with the security function
f2 stored in the ROM 16 of the ECU 10. If the security function
f2 has not been changed by any third person, the security
function f1 of the rewriting device 11 is the same as the
security function f2 of the ECU 10. In another embodiment,
the security functions f1 and f2 have a certain relationship.
[0034] 

The new security function f3 is to be stored in the ROM
16 in place of the security function f2 in order to implement
a new security feature. The new security function f3 can be
created by making certain changes to the current security
functions f1 and f2. According to one example, the new security
function f3 is a function that has a different expression from
the security functions f1. According to another example, the
new security function f3 is a function that has different
constant(s) in the function expression from the security
functions f1. For example, when the functions f1 and f2 are
f1 = f2 = A × R + B (A = 10 and B = 5), the new security function
f3 is set such that f3 = A + R × B (A = 10 and B = 5). Alternatively,
the values of the constants A and B of the functions f1 and
f2 may be changed to 5 and 10, respectively.
[0035] 

The rewriting device 11 also comprises a security release
request part 21, a rewriting request part 23, and a data block
assembling part 25, which may be stored in a memory of the
rewriting device 11 as programs. The security release request
part 21 uses the security function f1 to request the ECU 10
to release the security feature.
[0036]

The data block assembling part 25 assembles data blocks
suitable for serial communication from program code of the
security function f3. The data block assembling part 25 divides
the program code of the security function f3 into a plurality
of pieces, each of which has a certain length (for example,
8 bits). An address field is added to each piece of the program
code, or each partial program code. The address field includes
a leading address of an area in which the partial program code
is to be stored. Thus, when each partial program code is
transferred to the ECU, the ECU is informed of a location where
the partial program code is to be stored.
[0037] 

The rewriting request part 23 serially transfers to the
ECU 10 the data blocks representative of the new security
function f3 assembled by the data block assembling part 25
after the security feature has been released.
[0038] 

An anti-theft system 81 is connected to the ECU 10 so
that the memory rewriting system can exchange information with
the anti-theft system 81. The anti-theft system 81 extracts
an electronic code from an ignition key inserted into a key
cylinder when the engine is to be started and compares the
electronic code with a predetermined authorized code to check
whether the inserted ignition key is authentic. If it is
determined that the ignition key is authentic, the anti-theft
system 81 transfers a signal indicative of a permission for
engine start to the ECU 10 via an I/O interface 38. In response
to receiving this permission signal, the ECU 10 can start an
engine.
[0039] 

If it is determined that the inserted ignition key is
not authentic, the permission signal is not output and the
ECU 10 cannot start the engine. In response to the permission
signal to the ECU 10, an engine start permission flag which
may be stored in the RAM 37 or ROM 16 is set to a value of
one. Although the anti-theft system 81 and the ECU 10 are
separately shown in FIG. 2, some of the functions of the
anti-theft system 81 may be included in the ECU 10. For example,
the authorization of the ignition key may be performed by the
ECU 10.
[0040]

The operation of the memory rewriting system shown in
FIG. 2 is described with reference to FIGS. 4 and 5. Rewriting
operation is initiated, for example, when an operation button
of the rewriting device 11 is pressed after the rewriting device
11 has been connected to the ECU 10. Alternatively, the
rewriting operation may be initiated by operating the ECU.
[0041] 

At step 41, the security release request part 21 of the
rewriting device 11 transfers a signal indicative of a request
for releasing security to the ECU 10. The ECU 10 responds to
this signal to start an authentication process for confirming
that the authorized rewriting device is connected thereto.
[0042] 

An example of the authentication process is shown in FIG.
5. At step 51, the security release request part 21 of the
rewriting device 11 requests the ECU 10 to transfer an arbitrary
number R. In response to this, the authentication part 31 of
the ECU 10 is invoked. The authentication part 31 invokes the
random number generator 33 that generates random numbers. The
authentication part 31 arbitrarily selects the number R from
the random numbers generated by the random number generator
33, and transfers the number R to the rewriting device 11 (step
52). Alternatively, a different mechanism may be used to set
the arbitrary number R. The rewriting device 11 uses the
security function f1 already stored therein to determine the
function value K1 of the function f1 for the number R based
on K1 = f1(R) (step 53).
[0043]

On the other hand, the authentication part 31 of the ECU
10 uses the security function f2 stored in the rewritable ROM
16 to determine a function value K2 based on K2 = f2(R) (step
54). The security release request part 21 of the rewriting
device 11 transfers the function value K1 to the ECU 10 (step
55). The authentication part 31 compares the function value
K1 from the rewriting device 11 with the internally determined
function value K2 (step 56), and if they are equal, determines
that the rewriting device 11 is authentic. Subsequently, the
authentication part 31 checks whether the engine start
permission flag stored in the RAM 37 is a value of one (step
57). If the permission flag is one, this means that the engine
start permission signal has been output from the anti-theft
system 81, and a signal indicative of a permission of rewriting
is transferred to the rewriting device 11 (step 58). Thus,
the security feature needs to be released for rewriting data
stored in the rewritable ROM, so that the current security
functions f1 and f2 are used to release the security feature.
With the anti-theft system mounted in the vehicle, the security
feature for the memory rewriting system is released only if
the anti-theft system has been released, thereby preventing
an illegal driver from rewriting information relating to the
rewriting system and the anti-theft system.
[0044]

Referring to FIG. 4 again, if the ECU authenticates the
rewriting device 11, the process proceeds to step 42. The
rewriting request part 23 of the rewriting device 11 transfers
a signal indicative of a start of rewriting to the ECU 10,
and the rewriting part 35 of the ECU 10 returns a start permission
signal when ready for rewriting. At step 43, the rewriting
device 11 transfers a request for shifting to a rewriting
operation mode to the ECU 10, and then the rewriting part 35
of the ECU 10 executes a process for shifting to the rewriting
operation mode. At step 44, the rewriting request part 23
queries the ECU 10 if the shift of the operation mode has
completed. The rewriting part 35 transfers a signal indicative
of a completion of the shift to the rewriting device 11 if
the shift has been completed.
[0045] 

At step 45, the rewriting request part 23 requests the
security function f2 stored in the rewritable ROM 16 to be
deleted, and in response to this, the rewriting part 35 deletes
the security function f2 from the ROM 16.
[0046] 

At this point, in the rewriting device 11, the new security
function f3 has been prepared as a new security function. The
function f3 has been provided by the data block assembling
part 25 as serial data blocks for transmission to the ECU 10.
The security function f3 is typically created before the
rewriting device 11 transfers the request for releasing
security or the notification for starting of rewriting to the
ECU 10. This preparation for the new security function f3,
however, may be carried out immediately before the step 45.
[0047] 

The new security function f3 may be prepared, for example,
by selecting one from a number of functions previously saved
in the rewriting device 11. Alternatively, a user may create
the new security function f3 by manipulating the rewriting
device 11.
[0048] 

At step 46, the rewriting request part 23 transfers the
first one of the data blocks representative of the new security
function f3 to the ECU 10 together with a signal indicative
of a request for writing. The rewriting part 35 receives the
data block from the rewriting device 11 and writes a partial
program code included in the data block to the rewritable ROM
16. Once writing of the partial program code has been completed,
the rewriting part 35 transfers a notification of the
completion of writing to the rewriting device 11. In response
to this, the rewriting device 11 transfers a next data block
to the ECU 10. This step 46 is repeated until all the program
code of the security function f3 is written into the ROM 16.
[0049] 

Once writing of all the program code has completed, the
rewriting request part 23 transfers a request for releasing
the rewriting operation mode to the ECU 10 (step 47). In
response to this, the rewriting part 35 releases the rewriting
operation mode. Since the rewriting device 11 has changed the
security function stored in the ROM 16 to f3, the function
used by the rewriting device 11 is also set to f3 so that the
security feature can subsequently be implemented by means of
the security function f3. After the new security function f3
has been written to the ROM 16, the preceding security function
f1 may be deleted.
[0050] 

FIG. 6 is a flow chart showing a process for releasing
security executed by the rewriting device 11. At step 61, the
rewriting device 11 requests a number R from the ECU 10. The
rewriting device 11 subsequently receives the number R from
the ECU 10 (step 62). Upon receiving the number R, the rewriting
device 11 calculates the function value K1 for the number R
using the security function f1 already retained therein (step
63). Subsequently, the rewriting device 11 transfers the
function value K1 to the ECU 10 (step 64).
[0051] 

FIG. 7 is a flow chart showing a process for releasing
security executed by the ECU 10. The ECU 10 receives the
request for the number R from the rewriting device 11. Upon
receiving the request, the ECU 10 sets the number R from random
numbers (step 72) and transfers it to the rewriting device
11 (step 73). The ECU then calculates the function value K2
for the number R using the security function f2 already retained
therein (step 74).
[0052]

The ECU 10 receives the function value K1 from the
rewriting device 11 (step 75) and compares the value K1 with
the value K2 (step 76). If they are equal, the ECU 10 checks
whether the engine start permission flag is one (step 77).
If the flag is one, the process proceeds to step 78 to set
a rewriting permission flag, thereby indicating that the
rewriting device 11 is permitted for rewriting. If the values
are unequal at step 76 or the engine start permission flag
is not set to a value of one at step 77, then the rewriting
permission flag is set to zero (step 79) to indicate that the
rewriting device is not permitted for rewriting and the process
terminates.
[0053]

FIG. 8 is a flow chart of a process for rewriting executed
by the rewriting device 11. At step 81, the rewriting device
11 transfers a request for rewriting to the ECU. The request
may actually include the notification for a start of rewriting,
the request for shifting to the rewriting operation mode, and
the like, as shown in FIG. 4. Upon receiving a permission of
rewriting provided by the ECU 10 in response to the request
for rewriting (step 82), the rewriting device 11 creates data
blocks of the new security function f3 (step 83). The new
security function f3 can be arbitrarily created using the
rewriting device 11 as described above. The rewriting device
11 then transfers the data blocks representative of the new
security function f3 to the ECU 10 (step 84).
[0054] 

FIG. 9 is a flow chart showing a process for rewriting
executed by the ECU. Upon receiving the request for rewriting
from the rewriting device 11 (step 91), the ECU 10 checks whether
the rewriting permission flag is set to one (step 92). If the
flag is set to one, which means that the rewriting device 11
has been proved to be authentic, then the ECU waits for the
new security function f3 transferred from the rewriting device
11. In fact, processes such as shifting to the rewriting
operation mode or deletion of the current security function
f2 from the rewritable ROM as shown in FIG. 4 can be executed
between steps 92 and 93.
[0055] 

Subsequently, upon receiving the new security function
f3 (step 93), the ECU writes this function f3 to the rewritable
ROM. Thus, the security function f2, which has been stored
in the rewritable ROM, is rewritten with the new security
function f3.
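
The authentication of FIG. 5 and the rewriting sequence of FIG. 4 can be modelled compactly in C. This is an added example, not code from the specification; it assumes a three-byte encoding of the security function (form, A, B), a constructed ROM address ROM16_BASE, a xorshift generator standing in for the random number generator 33, and that each number R is answered only once.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define F_LEN 3             /* assumed key encoding: form, A, B */
#define ROM16_BASE 0x4000u  /* constructed address of the key slot in ROM 16 */

typedef struct {
    uint8_t  rom16[F_LEN];    /* rewritable ROM 16, holds f2 */
    int      engine_start_ok; /* engine start permission flag (anti-theft system 81) */
    int      rewrite_ok;      /* rewriting permission flag */
    int      have_r;          /* a challenge R is outstanding */
    uint32_t r, rng;          /* challenge and toy generator state (must be nonzero) */
} ecu_t;

typedef struct { uint16_t addr; uint8_t data; } block_t; /* address field + 8-bit piece */

/* Security function: form 0 is A*R+B, any other form is A+R*B (paragraph [0034]). */
uint32_t sec_eval(const uint8_t f[F_LEN], uint32_t r) {
    return f[0] == 0 ? f[1] * r + f[2] : f[1] + r * f[2];
}

/* Steps 51-52: the ECU selects R and transfers it to the rewriting device. */
uint32_t ecu_challenge(ecu_t *e) {
    e->rng ^= e->rng << 13; e->rng ^= e->rng >> 17; e->rng ^= e->rng << 5;
    e->r = e->rng; e->have_r = 1; e->rewrite_ok = 0;
    return e->r;
}

/* Steps 54-58: K2 = f2(R), compare with K1, then check the anti-theft flag. */
int ecu_verify(ecu_t *e, uint32_t k1) {
    int ok = e->have_r && k1 == sec_eval(e->rom16, e->r) && e->engine_start_ok == 1;
    e->have_r = 0;        /* assumption of this sketch: R is single-use */
    e->rewrite_ok = ok;
    return ok;
}

/* Step 45: delete f2, only while rewriting is permitted. */
int ecu_erase_key(ecu_t *e) {
    if (!e->rewrite_ok) return 0;
    memset(e->rom16, 0xFF, F_LEN);
    return 1;
}

/* Step 46: write one partial program code at the address carried in its block. */
int ecu_write_block(ecu_t *e, block_t b) {
    if (!e->rewrite_ok || b.addr < ROM16_BASE || b.addr >= ROM16_BASE + F_LEN)
        return 0;         /* not authenticated, or outside the rewritable key slot */
    e->rom16[b.addr - ROM16_BASE] = b.data;
    return 1;
}

/* Step 47: release the rewriting operation mode. */
void ecu_release_mode(ecu_t *e) { e->rewrite_ok = 0; }

/* Rewriting device, steps 51-55: request R and answer with K1 = f1(R). */
int device_unlock(ecu_t *e, const uint8_t f1[F_LEN]) {
    uint32_t r = ecu_challenge(e);
    return ecu_verify(e, sec_eval(f1, r));
}

/* Rewriting device, steps 41-47: unlock with f1, then replace f2 by f3. */
int device_rotate(ecu_t *e, uint8_t f1[F_LEN], const uint8_t f3[F_LEN]) {
    if (!device_unlock(e, f1) || !ecu_erase_key(e)) return 0;
    for (uint16_t i = 0; i < F_LEN; i++) {   /* data block assembling part 25 */
        block_t b = { (uint16_t)(ROM16_BASE + i), f3[i] };
        if (!ecu_write_block(e, b)) return 0;
    }
    ecu_release_mode(e);
    memcpy(f1, f3, F_LEN);                   /* the device now uses f3 as well */
    return 1;
}

int main(void) {
    ecu_t ecu = { {0, 10, 5}, 1, 0, 0, 0, 0x2545F491u };  /* f2 = 10*R+5 */
    uint8_t dev[F_LEN] = {0, 10, 5}, divulged[F_LEN] = {0, 10, 5};
    const uint8_t f3[F_LEN] = {1, 10, 5};                 /* f3 = 10+R*5 */
    printf("rotate to f3:         %d\n", device_rotate(&ecu, dev, f3));
    printf("unlock with f3:       %d\n", device_unlock(&ecu, dev));
    printf("unlock with old f1:   %d\n", device_unlock(&ecu, divulged));
    return 0;
}
```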
[0056] 

[Advantageous Effect of the Invention]

According to the invention set forth in claim 1, even
if the security data for determining the presence of the
permission of rewriting to prevent data stored in the memory
of the vehicle controller from being rewritten illegally is
divulged to a third party, the rewriting device can change
the security data, thus preventing illegal rewriting to the
memory from spreading.
[0057] 

According to the invention set forth in claim 2, the
program for rewriting the security data is stored in the
unchangeable memory and is prevented from being tampered with by
a third party, thereby allowing the security data to be
rewritten safely.
[0058]

According to the invention set forth in claim 3, the
rewriting device can arbitrarily set new security data, so
that the new security data can be flexibly set without being
divulged to any third person.
[0059] 

According to the invention set forth in claim 4, the memory
is rewritten only if the anti-theft system permits an operation
of the vehicle, so that rewriting by an illegal driver is
avoided, thus preventing information on the anti-theft system
from being rewritten.



[Brief Description of the Drawings] 

[Figure 1] A view showing an outline of a memory rewriting
system according to one embodiment of the present invention.

[Figure 2] A block diagram showing an entire memory rewriting
system according to one embodiment of the present invention.

[Figure 3] A view showing examples of a form of a ROM and a
CPU of an ECU in a memory rewriting system according to one
embodiment of the present invention.

[Figure 4] A view showing an operational procedure of a memory
rewriting system according to one embodiment of the present
invention.

[Figure 5] A view showing an authentication procedure executed
by a memory rewriting system according to one embodiment of
the present invention.

[Figure 6] A flow chart showing a process for releasing security
executed by a rewriting device of a memory rewriting system
according to one embodiment of the present invention.

[Figure 7] A flow chart showing a process for releasing security
executed by an ECU of a memory rewriting system according to
one embodiment of the present invention.

[Figure 8] A flow chart showing a process for rewriting executed
by a rewriting device of a memory rewriting system according
to one embodiment of the present invention.

[Figure 9] A flow chart showing a process for rewriting executed
by an ECU of a memory rewriting system according to one
embodiment of the present invention.

[Explanations of Letters or Numerals] 

10 ECU
11 rewriting device
12 interface
14 CPU
16 rewritable ROM
18 non-rewritable ROM
81 anti-theft system
[Document name] Drawings
[Figure 1]
[Figure 2]
[Figure 4]

(Sequence diagram between the Rewriting Device and the ECU, steps 41 to 47.
Message labels: Request for Releasing Security; Permission of (label cut off);
Authentication; Notification of Rewriting Start; Permission of Rewriting Start;
Request for Shifting to Rewriting Mode; Shifting to Rewriting Mode; Query about
Completion of Shift; Completion of Shift; Request for Deletion; Completion of
Deletion; Request for Rewriting; Completion of Rewriting; Request for Releasing
the Rewriting Operation Mode; Completion of Releasing.)

[Figure 5]

JP Application No. 2000-74236

(Authentication flow chart between the Rewriting Device and the ECU, steps 51
to 58. Labels: Generate "R"; K1 = f1(R); K2 = f2(R); K1 = K2?; Engine Start
Permission Flag = 1?; Rewriting Permission.)

[Figure 7]
[Document name] Abstract
[Abstract] 

[Problems to be Solved] This invention prevents illegal 
rewriting by enabling security data stored in a memory of 
a vehicle controller to be rewritten. 

[Means to Solve the Problems] A rewriting system for a vehicle 
controller mounted in the vehicle controller, comprising a 
memory area from and to which data can be deleted and written 
and which stores first security data for determining the 
presence of a permission of rewriting to the memory area, 
a rewriting device for transferring second security data from 
an exterior to the vehicle controller, and a rewriting means 
mounted in the vehicle controller, for deleting the first 
security data and writing the second security data 
transferred from the rewriting device. Since the information 
for implementing a security feature for rewriting can be 
rewritten, the security feature can be recovered even if the 
information is divulged to a third party. Furthermore, the 
rewriting system can operate in cooperation with an 
anti-theft system.

[Selected Figure] Figure 2 